Understanding HIPAA violations and breaches

HIPAA requires healthcare providers to protect patient data. Knowing which actions qualify as violations and breaches enables providers to reduce legal risks and safeguard patient data by identifying vulnerabilities and implementing suitable protective measures.

Definition and examples of HIPAA violations

A HIPAA violation is an event that causes non-compliance with the rules and regulations of HIPAA. This violates any one or more of the Security rule requirements. These could include:

• Unauthorized access (such as sharing PHI with unauthorized persons)
• Inadequate security measures (failure to monitor access to PHI)
• Mishandling patient information (Not providing secure encryption during the transit of data)

Read more: What is a HIPAA violation?

Consequences of HIPAA violations

HIPAA violation penalties vary based on the severity of the offense, categorized as civil or criminal penalties. Both of these penalties are enforced by the U.S. Department of Health and Human Rights Services Office for Civil Rights. 

Civil penalties

These are divided into four tiers:

• Tier 1: No knowledge of the violation (inadvertent violations without intent)
• Tier 2: Reasonable cause (violation occurred when a healthcare provider, as a covered entity, either knew or could have reasonably known that their action went against administrative processes, but did not commit willful negligence)
• Tier 3: Willful negligence promptly corrected (a violation intentionally committed but corrected within 30 days)
• Tier 4: Willful negligence not promptly corrected (not corrected within 30 days)

Criminal penalties

Criminal degree violations of HIPAA are handled by the Department of Justice (DOJ) and involve the intentional obtaining or disclosure of protected health information (PHI). The severity of the offense determines the penalties imposed.

Knowingly obtaining or disclosing PHI: 

• Fine: Up to $50,000; 
• Imprisonment: Up to 1 year

False representation in obtaining or Disclosing PHI:

• Fine: Up to $100,000; 
• Imprisonment: Up to 5 years

Obtaining or Disclosing PHI with Intent to Sell, Transfer, or Use for Malicious Purposes:

• Fine: Up to $500,000; 
• Imprisonment: Up to 10 years

Note: these penalties apply to criminal violations involving intentional and malicious actions related to individually identifiable PHI.

What Constitutes a HIPAA Breach?

A breach is a distinct category of violation with a narrower definition. It entails the unauthorized use or disclosure of PHI, compromising its security or privacy. This specifically violates the privacy and security of PHI in a way that is not permitted under HIPAA's Privacy Rule.

Under the Breach Notification Rule, covered entities, as well as business associates, are obligated to notify the Health and Human Services (HHS) and, in certain circumstances, the media when a breach occurs. 

Unless a covered entity or business associate can demonstrate a low probability of compromised information based on a risk assessment, any such unauthorized use or disclosure is considered a breach. 

Performing a risk assessment

During a risk assessment to determine if a breach has occurred, the following questions need to be addressed:

• What is the nature and extent of the protected health information (PHI) involved, including the types of identifiers and the likelihood of re-identification?
• Who accessed or used the PHI?
• Was the PHI actually acquired or viewed?
• To what extent has the risk been mitigated?

Read more: What is a HIPAA risk assessment?

Consequences and notifications for breaches

Notifications to affected patients are required only in cases where there is a breach of unsecured PHI that compromises its privacy and security through unauthorized use or disclosure. It is important to emphasize that the notification obligation applies specifically to breaches that meet these criteria.

The patient should receive a notification of the breach of unsecured PHI through first-class mail or email. Individual notices must be sent within 60 days of discovering the breach.

Furthermore, breaches impacting 500 or more individuals in the same state necessitate the covered entity to provide notice to prominent media outlets. This ensures that the public is informed about such significant breaches.

Breaches affecting fewer than 500 patients should be reported to the HHS on an annual basis. Covered entities must notify the Secretary of the HHS promptly if a breach affects 500 or more individuals, within 60 days of the breach.

The difference between violations from breaches

Distinguishing between violations and breaches, it is important to note that breaches entail more significant financial and criminal consequences compared to violations. This is due to the heightened seriousness associated with breaches, resulting in notable increases in fines and penalties. A key factor is that a violation can lead to a breach. 

While any action in non-compliance with HIPAA can be considered a violation, a breach specifically involves the unauthorized access, use, or disclosure of PHI. 

To illustrate, A HIPAA violation refers to any non-compliance with the rules and regulations set out by HIPAA. This could be due to not having the necessary safeguards to protect patient health information, not conducting a risk analysis, improper disposal of patient health records, unauthorized access to patient information, or sharing patient information without consent.

A HIPAA breach, on the other hand, is a specific type of HIPAA violation. It occurs when there is an unauthorized access, use, disclosure, or acquisition of Protected Health Information (PHI) in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI.

Examples of the difference between a HIPAA violation and a breach

1. If a hacker breaks into a hospital's electronic health record system and steals patient data, that's a HIPAA breach. Similarly, if a hospital employee accidentally emails a document containing patient health information to the wrong person, that's also a HIPAA breach.

2. A hospital employee accidentally leaves a patient's medical file unattended on a public transportation seat. Another passenger notices the file and realizes it contains sensitive medical information. Once a patient opens the document a breach has occurred. 
3. Imagine a nurse accidentally sends a patient's medical records to the wrong email address. This is a HIPAA violation because it involves the improper disclosure of the patient's protected health information (PHI) to an unauthorized recipient. Once the unauthorized recipient opens the document it is considered a breach.

So, the difference is that a HIPAA violation can be any action (or lack of action) that goes against HIPAA rules. A HIPAA breach is a specific kind of violation that involves unauthorized access, use, or disclosure of protected health information.